Facebook's approach to users' data has just been dealt a major blow from the European court of justice (ECJ). In an answer to a question from Germany's highest court, the ECJ's advocate general - whose opinion is not binding but is generally followed by the court - has made an essential clarification to Europe's data protection law to confirm that consumer associations can bring actions on behalf of individuals.
If followed by the ECJ, this will make it much easier for people to defend their rights against tech giants in future. Coming on the back of a decision by the European general court against Google several weeks ago for using its platform power to restrict competitors, it is the latest example of European regulators making the business climate increasingly chilly for the companies that control our data - in sharp contrast to the US.
Facebook and consent
The current case is about the way that Facebook, now known as Meta, in its early years encouraged users to play quizzes and games such as FarmVille, before sharing the results with all their friends. In an action brought by the Federation of Germany Consumer Organisations (VZBV), that was originally heard in 2014, it claimed that Facebook's data protection notice did not clearly explain to users how their data could be shared. It wants the company to be forbidden from using similar consent forms in future.
VZBV won the original case and on appeal, before it was heard by Germany's highest court in May 2020. The judges agreed that Facebook had misled users with the notice, but sought an opinion from the ECJ on Facebook's argument that only individuals and not consumer organisations can bring complaints under the EU's General Data Protection Regulation (GDPR), which governs this area.
The advocate general's recommendation, ahead of a final ECJ decision in 2022, reflects the fact that individuals do not typically start legal proceedings against large companies for a small breach of a rather technical regulation. Suing big firms on behalf of society is what consumers' organisations do, so it would limit people's protection if this was disallowed.
Facebook's approach to games is not the only time there have been questions about how it obtained users' consent over data. It famously sent unsolicited emails to users' contacts when they joined the social network. It also placed "like" buttons on third party websites and harvested the data without seeking users' consent.
One by one, national European regulators have ruled these practices illegal, but always long after the fact. When Facebook was ordered to pay €100,000 (Pound 85,138) by German regulators in 2016 for sending unsolicited emails, for instance, it was clearly too late to affect the company's behaviour on that individual issue.
VZBV has been at the forefront of fighting to make tech giants accountable for customer data since the early 2010s, though not always successfully. It failed in an attempt to stop Facebook claiming its platform is "free and will always be", while making users pay with their private data. It was also unable to require the company to allow users to adopt a pseudonym. Facebook had resisted citing safety concerns, but perhaps also because data on identifiable consumers is more valuable than anonymous ones.
The GDPR and future regulations
As Facebook and other social media companies have continued to develop new techniques to harvest consumer data, the GDPR was adopted by the EU in 2018 as a general framework to clarify the rules. It gives users more control and rights over their own data, requiring clear consent before it can be used.
Pending a decision on consumer organisations, the ECJ has already recently decided that national privacy watchdogs can directly fine tech firms under the GDPR for breaches affecting their citizens. Facebook had claimed only the Irish authority was competent, since its EU headquarters are there. A forthcoming ECJ case will look at giving similar powers to antitrust authorities.
The EU rules around big tech are also set to be strengthened in 2022 with the Digital Services Act and Digital Markets Act. This package of extra restrictions is set to include curbing the uncontrolled spread of unverified and often hateful content, with the potential for penalties of 10% of a company's annual revenue.
And for all the talk of a bonfire of EU data protection rules after Brexit, the forthcoming UK Online Safety Bill goes arguably even further in the same direction, with not only similar fines but potential prison sentences for executives over breaches. The bill may even make Facebook responsible for scams by other companies advertising on the platform.
Major EU countries such as Germany, France and the Netherlands also want the Digital Services Act to block what has become big tech's major strategy to attract new users: identifying non-profitable but successful internet companies, and buying their technology and user base. The UK is now decisively on the same path, as the Competition and Market Authority just ordered Facebook/Meta to sell Giphy, the largest repository of GIFs on the internet, which it bought in 2020 for US$400 million (Pound 301 million).
European regulators are therefore unravelling tech giants' business models one decision after the other. European data regulation is also becoming the de facto global standard because to be allowed to operate in Europe (which generates a quarter of Facebook's annual profits), global tech often has to obey the stricter European rules across the board.
The European logic is that harvesting private data is often a rip-off. People care about privacy but give away their data in exchange for almost nothing, and the government should protect them. American regulators consider this patronising, with the Supreme Court ruling almost 20 years ago that a dominant firm is free to exploit its consumers. Recent whistleblower Frances Haugen has provoked some soul searching in the US, but will probably ultimately struggle to secure meaningful changes to the rules around data and content.
With the likes of the UK now strongly following the path of the EU, the US is becoming increasingly isolated in this area. Meta is still free to make money out of their existing Facebook users in Europe. But as younger generations leave Facebook for the likes of TikTok and Snapchat, it faces increasing difficulties in reaching them and gathering the necessary information to sell their profiles to advertisers. It may therefore be time for companies like Facebook to find new sources of revenue.
Author: Renaud Foucart - Senior Lecturer in Economics, Lancaster University Management School, Lancaster University